Microsoft Forefront Client Security - Tarek Online! (System Center Operations Manager 2007 in Egypt) - http://tarek-online.blogspot.com - Cairo, Egypt
1. Overview
After installing Microsoft Forefront Client Security, we need to configure the server and all related components to get the best results from the FCS server. The following items are discussed in this guide:
- Configure the Windows client firewall
- Configure the WSUS server
- Deploy Client Security
- Manually deploy the Forefront Client Security client
- Create a Client Security policy
- Deploy a Client Security policy
- Distribute definition and engine updates
- Control access to the FCS MOM consoles
2. Configure Windows client firewall
Before deploying Client Security to client computers, you need to ensure the required ports are open between the client and the server. The following table lists all ports required for communication between the FCS client and server.
Computer            Connection                  Port (protocols)
Client computers    To collection server        1270 (TCP and UDP)
Client computers    To distribution server      80 (TCP) or 8530 (TCP) or custom

These ports cover FCS communication only; the table does not list the ports and protocols required for GPO, DNS, Kerberos and LDAP queries.

The ports can be opened manually using the following steps:
1. From Control Panel, double-click Windows Firewall.
2. Click the Exceptions tab, and click Add Port.
3. Type the name and port, and select the protocol type, TCP or UDP.

You can also configure these ports using a GPO, and this is the recommended method:
1. Open GPMC and use "Create and Link a GPO Here" to create a linked GPO.
2. Open the GPO and go to Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, Domain Profile.
3. Choose "Windows Firewall: Define port exceptions", choose Enabled and click Show.
4. Click Add, and add each exception using the format PORT:Transport:Scope:Status:Name.

With an FCS server IP address of 10.0.0.20, the policy elements are:
1270:TCP:10.0.0.20:enable:1270 TCP
1270:UDP:10.0.0.20:enable:1270 UDP
80:TCP:10.0.0.20:enable:distribution server
8530:TCP:10.0.0.20:enable:distribution server
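An added example, not part of the original guide, that builds the port-exception policy elements for the ports in the table above and checks that the TCP ports answer before clients are deployed. It assumes the collection server and distribution server share the address 10.0.0.20 (the guide's sample value) and writes the Status field as "enabled", the value the policy setting's own help text documents.

```powershell
# Added example (not from the guide): generate "Define port exceptions" elements
# for the FCS ports and probe the TCP ports from a client. Assumes one server
# address for collection and distribution roles; the address is a constructed sample.
function New-FcsFirewallException {
    param(
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port,
        [Parameter(Mandatory)][ValidateSet('TCP', 'UDP')][string]$Transport,
        [Parameter(Mandatory)][ipaddress]$Scope,   # limit the exception to the FCS server only
        [Parameter(Mandatory)][string]$Name
    )
    # Element format used by the GPO setting: PORT:Transport:Scope:Status:Name
    '{0}:{1}:{2}:enabled:{3}' -f $Port, $Transport, $Scope, $Name
}

function Test-FcsTcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # no answer
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Constructed sample: collection and distribution server both at 10.0.0.20
$fcsServer = '10.0.0.20'
$elements = @(
    New-FcsFirewallException -Port 1270 -Transport TCP -Scope $fcsServer -Name '1270 TCP'
    New-FcsFirewallException -Port 1270 -Transport UDP -Scope $fcsServer -Name '1270 UDP'
    New-FcsFirewallException -Port 80   -Transport TCP -Scope $fcsServer -Name 'distribution server'
    New-FcsFirewallException -Port 8530 -Transport TCP -Scope $fcsServer -Name 'distribution server'
)
$elements   # paste each line into the Show list of the policy setting

# UDP 1270 cannot be verified with a connect probe; only the TCP ports are checked here
foreach ($port in 1270, 80, 8530) {
    '{0}/TCP to {1} reachable: {2}' -f $port, $fcsServer, (Test-FcsTcpPort -ComputerName $fcsServer -Port $port)
}
```

Run the probe from a client in the target OU after the GPO has applied; a false result on 1270 usually means the exception scope or the server-side listener, not the client, needs attention.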
If you have already configured the client Windows Firewall using a GPO, you only need to add these firewall elements to it.
3. Configure WSUS server
Microsoft WSUS server version 3 will be configured with the following:
Configure products and classifications:
1. Open the WSUS console and choose Options.
2. Click Products and Classifications.
3. On the Products tab, choose Forefront Client Security.
4. On the Classifications tab, choose Critical Updates, Definition Updates, Security Updates, and Updates.
Configure the synchronization schedule:
1. Open the WSUS console and choose Options.
2. Click Synchronization Schedule.
3. Choose Synchronize automatically, and set Synchronizations per day to 4.
Configure automatic approvals:
1. Open the WSUS console and choose Options.
2. Click Automatic Approvals.
3. Click New Rule and name the rule FCS updates.
4. Configure the rule so that when an update is in Critical Updates, Definition Updates, Security Updates, or Updates, and the update is for Forefront Client Security, the update is approved for all computers.
4. Deploy client security
There are two options to install Client Security:
Download and install Client Security from the distribution server:
This is the easiest way to install the client on the required machine. For this option you need to target the computer with at least one policy from the Client Security server. After you create and deploy the policy, the installation starts automatically.
Deploy the client using the command line:
Use this option to deploy the client before deploying the Forefront security policy, or when the computers are not domain members. You can use the command line to deploy clients using SMS 2003, SCCM, SCE 2007, or GPO. The command is located at <CD drive>:\Client for 32-bit clients, or <CD drive>:\Client\X64 for 64-bit clients.
Command line parameters:
ClientSetup.exe /MS <MOM Collection Server Name> /CG <MOM Config Group Name> [/I <Install Path>] [/L <Log Path>] [/R] [/NOMOM]

/MS      Collection Server Name (required if /CG is present)
/CG      Config Group Name (required if /MS is present)
/I       Install Directory (optional)
/L       Log Directory (optional)
/R       Force reinstall of all MSIs (optional)
/NOMOM   Installs all MSIs except the MOM agent (optional)
Examples:
ClientSetup.exe /MS TAR-FCS01 /CG FCSMG /R
ClientSetup.exe /MS TAR-FCS01 /CG FCSMG /I c:\program files\forefront\ /R
The command line installation is useful in the following cases:
- You do not want to deploy any client policy at this time.
- You do not want to deploy the MOM client agent.
- You use a GPO to deploy Client Security.
- You use SCCM, SCE 2007, or SMS 2003 to deploy the client.
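An added example, not part of the original guide, that composes the ClientSetup.exe command line from the parameter table above and enforces its rules: /MS and /CG must appear together, and /I, /L, /R and /NOMOM are optional. The server and group names are the guide's sample values; the function name and the path quoting are this example's own.

```powershell
# Added example (not from the guide): build a ClientSetup.exe command line and
# enforce the /MS and /CG pairing rule from the parameter table.
function New-FcsClientSetupCommand {
    param(
        [string]$CollectionServer,               # /MS
        [string]$ConfigGroup,                    # /CG
        [string]$InstallPath,                    # /I
        [string]$LogPath,                        # /L
        [switch]$ForceReinstall,                 # /R
        [switch]$NoMomAgent,                     # /NOMOM
        [string]$SetupPath = 'ClientSetup.exe'   # e.g. D:\Client\ClientSetup.exe on the CD
    )
    # Each of /MS and /CG is required when the other is present
    if ([bool]$CollectionServer -ne [bool]$ConfigGroup) {
        throw '/MS and /CG must be supplied together'
    }
    $parts = @()
    if ($CollectionServer) { $parts += '/MS', $CollectionServer, '/CG', $ConfigGroup }
    # Quote directory arguments so a space (C:\Program Files) does not split them,
    # and drop a trailing backslash so it cannot escape the closing quote
    $quote = { param($p) '"{0}"' -f $p.TrimEnd('\') }
    if ($InstallPath) { $parts += '/I', (& $quote $InstallPath) }
    if ($LogPath)     { $parts += '/L', (& $quote $LogPath) }
    if ($ForceReinstall) { $parts += '/R' }
    if ($NoMomAgent)     { $parts += '/NOMOM' }
    "$SetupPath $($parts -join ' ')"
}

# The guide's two examples, plus a workgroup machine that gets no MOM agent
New-FcsClientSetupCommand -CollectionServer 'TAR-FCS01' -ConfigGroup 'FCSMG' -ForceReinstall
New-FcsClientSetupCommand -CollectionServer 'TAR-FCS01' -ConfigGroup 'FCSMG' `
    -InstallPath 'C:\Program Files\Forefront\' -ForceReinstall
New-FcsClientSetupCommand -NoMomAgent

# Supplying only one of the pair is rejected before anything runs
try { New-FcsClientSetupCommand -CollectionServer 'TAR-FCS01' } catch { "Rejected: $_" }
```

The function only returns the command string; run it with cmd.exe /c or Start-Process once it reads correctly, from the deployment tool of your choice.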
5. Create client security policy
After deciding how to deploy Client Security, we need to control the clients using a security policy. A Client Security policy is a collection of settings that you can apply to many client computers. Use the Policy Management tab in the Client Security console to create, modify, delete, and deploy policies. Creating a policy does not affect any computer until you deploy it. To create a policy, open the Client Security management console and choose the Policy Management tab.
To create a new policy, simply click New. Type the policy name and comments about this policy.
Click the Protection tab and set Virus protection and Spyware protection to On. Virus protection and Spyware protection can each be set to On, Off, or User controlled.
Under Malware scanning, select Use real-time protection (scan programs and services when they are accessed) and Run a scan at this time. Choose to run the scan every day at 12:00 PM; the scan type will be Full Scan. Select Run a quick scan at set interval (hours) and choose 12 hours. You can create only one schedule for both virus and spyware protection. The Task Scheduler service must be enabled and running on client computers for scheduled and interval scans to run.
Under Security state assessment, set Scan at set interval (hours) to 12 hours.
For scheduled events, Client Security creates hidden tasks on client computers. To view hidden tasks, open Scheduled Tasks, click Advanced, and then click View Hidden Tasks. To allow users to schedule scans, select User controlled for the start time under Malware scanning.
On the Advanced tab, we will configure malware definition updates, malware scan options, exclusions from malware scans, and client options.
Under Malware definition updates, select the Check for updates before starting a scan check box; this configures the client to check the distribution server for updates before each scan starts. Select the Check for updates at set interval check box and type the number of hours between definition updates. Select the Check for updates on Microsoft Update when WSUS is unavailable check box to let clients fall back to Microsoft Update when the WSUS server cannot be reached.
Under Malware scan options, choose Scan archive files and Use heuristics to detect suspicious files.
Under Exclusions from malware scans, configure the file and folder paths and the extensions to be excluded from the scan.
Under Client options, choose User can view all Client Security agent settings and messages, only administrators can change Client Security agent settings, and Allow users to add exclusions and overrides. With these client options, View notification area icon and status messages is available to all users, while Open Client Security agent and run scans, Change user-controlled settings, and Add exclusions and overrides are available only to local Administrators. Choose Prompt users when unclassified software is detected to let users decide whether unclassified software may run.
On the Overrides tab, configure overrides to the default malware responses and view the default response, category, and severity of each malware item.
On the Reporting tab, specify the frequency with which alerts are generated by computers protected by this policy. Alert level 5 results in the most alerts, and alert level 1 in the fewest. Choose Alert level 4 - High, so that alerts are raised for all Client Security conditions except a successful response to malware on the network.
Under Logging, Client Security by default generates events on client computers for many events. Do not select Do not log events for files marked "Unknown" on SpyNet; choose Basic, so Client Security sends basic information about detected items and the actions you apply. In some instances, personal information may be sent, but no information is used to contact users.
If internet access is provided through a proxy server, select Use other proxy server and port and type the proxy name or IP address and port, for example ISA.TAREK.LOCAL:8080.
Click OK to finish the policy. You can create many policies, but none of them is active until you deploy it.
At any time you can edit this policy and change the client settings. You can also copy the policy settings to a new policy, edit some settings, and save it under a new name.
6. Deploy client security policy
After creating the required policy, you need to deploy it. A policy can be deployed to an OU in Active Directory, to a computer security group in Active Directory, or exported to a file and applied from the command line on workgroup computers and also on domain members. Choose the policy you want to deploy and click Deploy. Choose the deployment method by clicking Add OU, Add Group, Add GPO, or Add File. Client Security policies apply only to computers, not to user accounts. To remove a previously deployed policy, you must either deploy a different policy to the computer or undeploy the unwanted policy. Policies deployed to security groups (Add Group) override policies deployed to OUs (Add OU).
After you deploy the policy, a new GPO is created to apply the Client Security settings. If you deploy the policy to an OU, the GPO is named FCS-<policy name>-<GUID>-2. If you deploy the policy to a security group, the GPO is named FCS-<policy name>-<GUID>-3, and it is linked at the domain level.
When you deploy the policy to a file, a registry (.reg) file is created. Use the FCSLOCALPOLICYTOOL.EXE tool to deploy it; the tool is located in <CD drive>:\CLIENT or <CD drive>:\CLIENT\X64.
To deploy the policy: FCSLOCALPOLICYTOOL.EXE /I TarekPolicy.reg /F
/F suppresses the confirmation prompt.
To delete the deployed policy: FCSLOCALPOLICYTOOL.EXE /D
7. Distributing definition and engine updates
Client Security is designed to use WSUS to distribute definition and scan-engine updates to client computers. You can also download and install updates manually from the link below:
http://technet.microsoft.com/en-us/forefront/clientsecurity/bb508812.aspx
The definitions that WSUS downloads are contained in update files. An update can carry definitions or the scan engine, so you need to select both Definition Updates and Updates in the WSUS classification settings. The files are digitally signed. Update sizes vary: the base set of definitions is about 1 megabyte (MB), and the delta set is about half that size, or 500 kilobytes (KB). When the scan engine is included in an update, the file size can reach 15 MB.
8. Controlling access to FCS MOM consoles
After installing the Microsoft Forefront Client Security server, four local security groups exist on the server:
- MOM Administrators: can view and modify settings in the Operations Console and in the Operations, Management Packs, and Administration nodes of the MOM Administrator Console.
- MOM Authors: can view and modify settings in the Operations Console and in the Operations and Management Packs nodes of the MOM Administrator Console.
- MOM Service: intended solely for use by MOM services and processes. Individuals should not be members of this group.
- MOM Users: can view and modify settings in the Operations Console and in the Operations node of the MOM Administrator Console.
To allow access to the MOM Operator console, add the user or group to MOM Users and to Distributed COM Users. To allow access to the MOM Administrator console, add the user or group to MOM Authors and to Distributed COM Users.
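An added example, not part of the original guide, that lists the members of the four MOM groups and of Distributed COM Users on the FCS server, so the group memberships described above can be reviewed against the rule that MOM Service holds only service accounts. It assumes it runs on the FCS server (or with rights to it) and uses the WinNT ADSI provider, which is available on the Windows Server versions of that era; the function name is this example's own.

```powershell
# Added example (not from the guide): enumerate the MOM console groups and
# Distributed COM Users on the FCS server for a membership review.
function Get-FcsConsoleGroupMember {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $groups = 'MOM Administrators', 'MOM Authors', 'MOM Service', 'MOM Users',
              'Distributed COM Users'
    foreach ($groupName in $groups) {
        $group = [ADSI]"WinNT://$ComputerName/$groupName,group"
        try {
            $raw = $group.psbase.Invoke('Members')
        } catch {
            Write-Warning "Group '$groupName' not found on $ComputerName"
            continue
        }
        foreach ($m in $raw) {
            # Each member is a raw COM object; read its properties through reflection
            $name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
            $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            $path  = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
            [pscustomobject]@{
                Group  = $groupName
                Member = $name
                Class  = $class        # User or Group; nested groups deserve their own review
                Path   = $path         # shows whether the account is local or from the domain
            }
        }
    }
}

# Review points: MOM Service should list only the MOM service accounts, and anyone in
# MOM Administrators has full control of both consoles.
Get-FcsConsoleGroupMember | Sort-Object Group, Member | Format-Table -AutoSize
```

Re-run it after granting console access, since the guide's access model requires membership in two groups at once (a MOM group plus Distributed COM Users), and a missing half is the usual cause of a console that will not connect.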